
Password Policy Profile

The Password Policy profile allows administrators to set up and customize the device lock policies on enrolled devices. With this profile, administrators can establish rules and criteria for passwords, PINs, or other authentication methods used to unlock devices. 

To create a device lock policy and deploy it to the enrolled device(s), follow these steps:

  1. Navigate to the SureMDM web console > Profiles > Windows > Add > Password Policy > Configure.

  2. Enter a Profile Name.

  3. In the Device Password Policy section, enter the following details:

Setting and description:

Enable Password (formerly Device Lock)
  Selects how password-related security settings are applied on the device, i.e. whether SureMDM manages and enforces password policies or leaves them to the previously configured or default Windows behavior. Select one of the following options:
  • Not Configured: The setting remains unmanaged and follows the existing Windows configuration.
  • Enable: SureMDM applies and enforces the configured password policies on the device.
  • Disable: SureMDM removes the password policy configuration from the device wherever supported.

Windows Device Type
  • All: Supports all Windows device types.
  • Desktop: Supports all Windows 10 desktop devices.

Minimum Password Quality
  Select the required PIN type: Simple, Alphanumeric, Numeric, or Any.

Minimum Device Password Complex Characters
  Select the character classes required for a strong PIN or password:
  • Digits only
  • Digits and lowercase letters
  • Digits, lowercase letters and uppercase letters
  • Digits, lowercase letters, uppercase letters, and special characters

Minimum Password Length
  Minimum number of characters required for the device password.

Maximum Password Failed Attempts
  Maximum number of consecutive unsuccessful sign-in attempts allowed on the device. When this limit is exceeded, the device enters BitLocker recovery mode and its data stays inaccessible until the recovery key is supplied. This setting applies only when BitLocker is enabled on the device; make sure the recovery key is escrowed somewhere you can retrieve it before enforcing a low limit, otherwise a lockout becomes a data-loss event.

Password Expiration (In Days)
  Maximum number of days a password remains valid before the user must change it.

Password History
  Number of previous passwords that cannot be reused.

Maximum Inactivity Time To Device Lock (In Minutes)
  Period of inactivity after which the device screen locks automatically.
  Note: For this option to take effect, reboot the device or have the user sign out and sign back in after the policy is applied.

Require Password when Device Returns From Idle State
  Force the user to enter the password every time the device returns from the idle state.
  Note: This feature is supported only on Windows mobile and holographic devices.

Block Automatic Encryption During AADJ
  Prevent automatic device encryption during first use when the device is Microsoft Entra ID (formerly Azure Active Directory) joined (AADJ).
  Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot.

Allow Federal Information Processing Standard (FIPS) Policy
  Allow the FIPS policy to be applied on the device.
  Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot.

Allow Windows Hello Device Authentication
  Allow the use of Windows Hello for device authentication.
  Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot.

Preferred Microsoft Entra ID (formerly Azure Active Directory) Tenant Domain
  Enter the Microsoft Entra ID (formerly Azure Active Directory) tenant domain name so that users can sign in without typing the domain name.
  Note: This feature is supported only when the device is enrolled through Windows OOBE / Windows Autopilot.
Notes:
  1. Password Policy does not work for domain-joined devices.
  2. The password must contain alphanumeric and special characters.
  3. Password Policy will not be enforced if password restrictions or conflicting settings already exist on the device from another source (for example a local security policy or another management tool).
  4. Some password-related policies may not be enforced if local user accounts have "User cannot change password" or "Password never expires" enabled. For consistent enforcement across all devices in your tenant, you can use the following sample script to clear these flags on all local user accounts before applying the policy:

Sample Script:

# Run in an elevated PowerShell session. This touches every local account,
# including built-in ones, so review the output of Get-LocalUser first.
Get-LocalUser | ForEach-Object {
    # Clear "Password never expires" and "User cannot change password"
    # (the second flag is what 'net user <name> /passwordchg:yes' sets).
    Set-LocalUser -Name $_.Name -PasswordNeverExpires $false -UserMayChangePassword $true
}
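The notes above name three conditions that silently prevent the profile from taking effect: a domain-joined device, conflicting local policy, and local accounts with the two flags set. The following PowerShell is an added example, not part of the SureMDM documentation or product: it runs those preflight checks on the device and, once the profile has been applied, reads the effective DeviceLock policy back through the Windows MDM WMI Bridge. It assumes a Windows 10/11 device with the bridge provider present in the root\cimv2\mdm\dmmap namespace and that MDM_Policy_Result01_DeviceLock02 is the Policy CSP result class for the DeviceLock area; the bridge query only succeeds when run as SYSTEM (for example via PsExec -s) and otherwise fails with access denied.

```powershell
# Added example (not SureMDM's code). Preflight checks for notes 1, 3 and 4
# above, plus a read-back of the effective DeviceLock policy via the
# MDM WMI Bridge. Assumptions: namespace root\cimv2\mdm\dmmap exists and
# MDM_Policy_Result01_DeviceLock02 is the DeviceLock result class.

function Test-PasswordPolicyPreflight {
    [CmdletBinding()]
    param()

    $ok = $true

    # Note 1: the policy is not applied to domain-joined devices.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if ($cs.PartOfDomain) {
        Write-Warning "Device is joined to domain '$($cs.Domain)'; Password Policy will not be enforced."
        $ok = $false
    }

    # Note 4: enabled local accounts with 'Password never expires'
    # (Get-LocalUser reports a null PasswordExpires) or
    # 'User cannot change password' (UserMayChangePassword = $false).
    $blocking = @(Get-LocalUser | Where-Object {
        $_.Enabled -and ((-not $_.PasswordExpires) -or (-not $_.UserMayChangePassword))
    })
    foreach ($u in $blocking) {
        Write-Warning ("Account '{0}': PasswordNeverExpires={1}, UserMayChangePassword={2}" -f
            $u.Name, (-not $u.PasswordExpires), $u.UserMayChangePassword)
        $ok = $false
    }

    # Note 3: show the local account policy already in force so an existing
    # lockout threshold, minimum length or maximum age that would conflict
    # with the profile is visible before you apply it.
    net accounts | Out-Host

    return $ok
}

function Get-EffectiveDeviceLockPolicy {
    [CmdletBinding()]
    param()

    # Must run as SYSTEM; an elevated admin session gets 'Access denied'.
    $result = Get-CimInstance -Namespace 'root\cimv2\mdm\dmmap' `
        -ClassName 'MDM_Policy_Result01_DeviceLock02' -ErrorAction Stop

    # Property names follow the Policy CSP DeviceLock area. A setting the
    # MDM channel never delivered shows up as empty or 0 here, which is the
    # quickest way to tell a profile that was applied from one that was
    # silently skipped for one of the reasons in the notes.
    $result | Select-Object DevicePasswordEnabled, AllowSimpleDevicePassword,
        AlphanumericDevicePasswordRequired, MinDevicePasswordLength,
        MinDevicePasswordComplexCharacters, MaxDevicePasswordFailedAttempts,
        MaxInactivityTimeDeviceLock, DevicePasswordExpiration, DevicePasswordHistory
}

# Usage:
#   if (Test-PasswordPolicyPreflight) { 'Device is ready for the Password Policy profile' }
#   Get-EffectiveDeviceLockPolicy | Format-List
```

Run Test-PasswordPolicyPreflight before pushing the profile and Get-EffectiveDeviceLockPolicy after the device has checked in; comparing the read-back values with what you configured in the console is the only reliable way to confirm enforcement, since the console reports that a profile was delivered, not that Windows accepted every setting in it.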

The newly created profile will be listed in the Profile List section. 

  1. Go back to the Home tab and select the Windows device(s) or group(s).

  2. Click Apply to launch the Apply Job/Profile To Device prompt.

  3. Select the profile under All Jobs/Profiles.

  4. Click Apply in the Apply Job/Profile To Device prompt.